
Microsoft has announced that passkeys will become the default authentication method for the Entra ID enterprise identity service starting September 2026.
Passkeys will be enabled automatically for Entra ID users now using phone-based SMS and voice authentication, which will be retired in February 2027 across all tenants.
However, users who are already signing into their accounts with passkeys, Windows Hello for Business, FIDO2 security keys, smart cards, or any other phishing-resistant method will be able to continue using those methods.
"As the rollout reaches each organization, users enabled for SMS or voice authentication will automatically be enabled for passkeys, and the next time they perform multifactor authentication, they'll be prompted to register a passkey," Microsoft said.
"Following this transition, on February 1, 2027, Microsoft will retire Microsoft-provided telecom delivery for SMS and voice authentication and will no longer offer SMS and voice as a native Microsoft Entra capability."
Before this date, organizations are advised to ensure that all users are using a phishing-resistant method to avoid sign-in disruptions, as they will no longer be able to use SMS or voice to complete multifactor authentication and sign in to their accounts.
Timeline for SMS/voice authentication retirement (Microsoft)Admins with the global reader, Authentication policy administrator, or Security reader roles enabled can find SMS or voice auth users by running the Entra SMS/Voice Policy Scanner PowerShell script.
Organizations that are still required to use phone-based authentication will need to configure third-party telecom providers through the Microsoft Security Store.
Microsoft provides step-by-step guidance on deploying and managing Entra ID phishing-resistant passwordless authentication on this dedicated documentation page.
Users are advised to move away from telephony-based authentication methods to block identity attacks and improve account security, as threat actors (including the ShinyHunters extortion gang) have heavily targeted Microsoft Entra single sign-on (SSO) accounts in a recent wave of SaaS data-theft attacks using stolen credentials.
"Microsoft Threat Intelligence has observed AI-enabled phishing campaigns reaching click-through rates as high as 54%, compared with roughly 12% for more traditional campaigns, making stolen passwords and phishable second factors an urgent risk," Microsoft added.
"By making passkeys the default authentication experience, organizations reduce reliance on phishable authentication methods and strengthen protection against credential theft and phishing."
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.










English (US) ·